
Spoofing Email Addresses and Attachments - Linux versus Windows



Phishing is an attack that basically tries to convince a computer user that something he or she wants is just a click away. In order to succeed, the user being attacked has to give up something of value to the attacker. It could be their user name and password to their bank account or just allowing an installation of a program that will take complete control over their computer without them knowing it.

In almost every Windows machine out there, that user has full Administrator privileges by virtue of having their user name in the "Administrators" group. Check your own computer if you don't believe me. Go to Control Panel, and Users and you'll see that you are almost certainly a member of the Administrators group. All you have to do to allow an installation of malware is click on the "yes" button.

 

In Linux the only user who operates as the Administrator is "root" and most Linux distributions do not allow users to do root commands unless they go through a procedure called "sudo" which includes specifically giving their password (again) and agreeing to the action.

 

A big part of phishing is making things look reasonable. An email with a link on it from your bank will lead to a web site that looks like your bank's website. Or a link to a malicious program might appear to be a photograph of your sister's new baby. The way Windows and Linux deal with these links is not the same and is part of why a phishing attempt on Linux is more difficult to get away with.

 

Windows can execute (e.g.: run) programs based on their extension or their file-type. The letters after the dot tell Windows what to do with that file. We all know that iexplore.exe will start Internet Explorer. The three classic file types that are executable are .bat, .com and .exe. But there are dozens more! A hacker can include a program inside a .jpg photo, for instance.

 

This webpage explains it in detail: http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

 

But it gets worse, because Windows, by default, hides the "extension" (those letters after the dot), so when you use Outlook or Internet Explorer you might only see "my_baby.jpg" but the real file is "my_baby.jpg.exe".

Linux (and Unix) do not act that way. In order to be executable a file has to have the appropriate "attribute". In the attributes for a file are letters which tell what a user can do with a file: read it, execute it, or nothing (not even see it). So Linux won't try to execute my_baby.jpg.exe at all, even if it were a file that Linux could otherwise run, because files that are downloaded are not given the attribute for executable; only readable.

So when you see me writing about how it's more difficult to be attacked in Linux than it is in Windows you'll have some idea of what I'm referring to.

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio
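A defender-side check for the two behaviours described in the post above, as an added example that is not part of the original post: it flags file names whose final extension is an executable type hidden behind a document-looking one, and reports whether the file carries a Unix execute bit. The decoy-extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# The three classic executable extensions named in the post; the post notes
# there are dozens more, so a real deny-list would be longer.
EXECUTABLE_EXTS = {".exe", ".com", ".bat"}
# Assumed set of harmless-looking extensions (only .jpg comes from the post).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc"}


def displayed_name(filename):
    """Name as a file manager shows it when the final extension is hidden."""
    return os.path.splitext(filename)[0]


def is_deceptive(filename):
    """True if hiding the last extension makes an executable look like a document."""
    shown, last = os.path.splitext(filename.lower())
    decoy = os.path.splitext(shown)[1]
    return last in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def has_exec_bit(path):
    """True if any of the user/group/other execute permission bits is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def audit(directory):
    """Return (real name, displayed name, exec bit) for each deceptive file."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_deceptive(name):
            findings.append((name, displayed_name(name), has_exec_bit(path)))
    return findings


def demo():
    """Build constructed sample files with download-style permissions (rw-r--r--)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("my_baby.jpg.exe", "holiday.jpg", "setup.exe"):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"constructed sample, not a real program")
            os.chmod(path, 0o644)
        return audit(d)


if __name__ == "__main__":
    for name, shown, executable in demo():
        print(f"{name!r} displays as {shown!r}; exec bit set: {executable}")
```

Pointing `audit()` at a real download directory lists every file that would display under a misleading name, together with whether its permissions would let it run on Linux.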


And that is just the default install of Linux, the equivalent of running Windows with no anti-virus program. If you add one or more of the available Linux security applications, AppArmor or Security Enhanced Extensions, it is almost impossible for a user to accomplish more than messing up their personal files and settings. So far the threats against Linux just don't make it worth the bother of installing either, but if they appear or you end up running an at-risk system they are a couple clicks away.

You also have the ability to grant Linux users specific approval for a large variety of actions so that someone that needs to do something beyond the basic user functions (like backup or burning a DVD) can be given access to the appropriate and very limited abilities needed for that function. A well set up system will rarely need the actual root user to be used, if it is even present on the system, further reducing the risks.

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.


Archived

This topic is now archived and is closed to further replies.
